undefined | Better HN

0 pointsstickfigure8h ago0 comments

This is all way too much. If you see a duplicate idempotency key, skip the replay and always return 409. This becomes a client problem. Clients already need to help enforce idempotent contracts; "check for conflict response" is not an onerous imposition.

I've built multiple ecommerce APIs with this approach and they work great. No heroic measures required. You can often satisfy this contract with a unique constraint; if not, a simple presence check in redis. No hashing or worrying about PII.

My rant about this: https://github.com/stickfigure/blog/wiki/How-to-%28and-how-n...

0 comments

jeremyjh2h ago

I really like that article, thank you for sharing it again. I wish I had read it a decade ago, or even the first time you submitted it - I had to learn some of these things the hard way.

I agree with you - I don't think Stripe has made the right choices here and its unfortunate that it has inspired so many other people to make the same poor choices. I don't agree that their system is as sound as always returning 409s. I think having a short window where you return response bodies is fine, but after that they should still be sending 409s. If no one will ever actually resend a request after 24 hours how is it not fine to send 409s when they do? They've chosen to implement the more expensive choice and then not back it with the cheapest one.

1 more reply

halestock7h ago

But that's not idempotent? If I'm a client and I don't know if the original request went through, getting a 409 on any subsequent requests tells me nothing about whether the original request was successful or not.

stickfigureOP7h ago

Retries will only receive 409 if the original request was successful. If the original request failed, the server performs the operation as normal on the second request. It doesn't replay failures.

The whole point of the idempotence mechanism is so you can make a reliable distributed system. If the first try fails, the client doesn't know if it succeeded or not, so the client should try again later ("at-least-once"). The idempotence mechanism just ensures that we don't get duplicates in the case that the first try actually succeeded.

If you replayed failures there wouldn't be any point to the idempotency key.

pdonis7h ago

What if the original request is still being processed when the retry comes in? That doesn't fall into either of your categories: the request isn't successful, but it hasn't failed either.

5 more replies

whoamii6h ago

You are improvising, and in the process, changing the semantics of a well established design pattern. Do not recommend.

1 more reply

hamdingers6h ago

If you're a client using the same idempotency key for a materially different request you have a bug.

theptip5h ago

Yes, and if you are building a payment API you need to be robust to client bugs.

2 more replies

onionisafruit7h ago

The 409 should come with an id or a url the client can use to find the original result.

stickfigureOP7h ago

...and if you're using the approach of "let the client pick ids", you don't even need that. The client has everything it needs.

1 more reply

pverheggen6h ago

I really like this approach, and am going to keep it in my back pocket.

However, it's good for e-commerce where there are a subset of "important" operations, but I'd argue the idempotency key is better for a financial API like Stripe where the majority of your operations need these semantics.

You also run into a problem if PUT/PATCH needs to be exactly-once instead of at least once. Not as common, but again, might be something you run into with a financial API.

stickfigureOP5h ago

There's nothing special about any particular HTTP method; it is the inherent nature of distributed systems that you can not have exactly-once semantics with a single HTTP request. To create exactly-once semantics, you need a client which retries until success and a server which prevents duplicates.

The only difference between the approach I'm describing and Stripe's approach is the detail of how the client knows that it's done. "My" mechanism (notify the client that a request is a duplicate) was dominant in financial transaction processing systems before Stripe; I used probably a half dozen of them back in the day.

Stripe came along and from the beginning decided "we want to compete based on making a friendly API". They succeeded, and if you ever look at Paypal's original API, it's easy to see why. It's true that repeating successful API responses makes life slightly easier for clients; they never need to check for a 409 (or whatever) response. It comes at a cost of making life quite a bit more complex on servers. Personally I don't think the tradeoff is worth it, but YMMV. If your single competitive advantage is "easy API" maybe it makes sense. If you're normal B2B, almost certainly not.

malux85new18m ago

Exactly - junior engineers haven't yet developed a good taste of "how much the system should try and deal with errors" - so they always go way overboard to guess and try and fix errors way too much. I agree with you - this is a client error - 409 and make them fix the bug on their side. Clean, reliable, simple, separation of responsibility.

reactordev40m ago

This is because there are countless tutorials and slop on the internet that says, no, instructs, you to handle idempotency on the client instead of where it belongs. Server-side.

mamcx6h ago

And a good way to convey this contract is force the clients to hash-chain the calls, so is now more clear that it should do (and even can detect the send will fail at client side)

j / k navigate · click thread line to collapse

0 comments

jeremyjh2h ago

I really like that article, thank you for sharing it again. I wish I had read it a decade ago, or even the first time you submitted it - I had to learn some of these things the hard way.

1 more reply

halestock7h ago

stickfigureOP7h ago

Retries will only receive 409 if the original request was successful. If the original request failed, the server performs the operation as normal on the second request. It doesn't replay failures.

If you replayed failures there wouldn't be any point to the idempotency key.

pdonis7h ago

What if the original request is still being processed when the retry comes in? That doesn't fall into either of your categories: the request isn't successful, but it hasn't failed either.

5 more replies

whoamii6h ago

You are improvising, and in the process, changing the semantics of a well established design pattern. Do not recommend.

1 more reply

hamdingers6h ago

If you're a client using the same idempotency key for a materially different request you have a bug.

theptip5h ago

Yes, and if you are building a payment API you need to be robust to client bugs.

2 more replies

onionisafruit7h ago

The 409 should come with an id or a url the client can use to find the original result.

stickfigureOP7h ago

...and if you're using the approach of "let the client pick ids", you don't even need that. The client has everything it needs.

1 more reply

pverheggen6h ago

I really like this approach, and am going to keep it in my back pocket.

You also run into a problem if PUT/PATCH needs to be exactly-once instead of at least once. Not as common, but again, might be something you run into with a financial API.

stickfigureOP5h ago

malux85new18m ago

reactordev40m ago

This is because there are countless tutorials and slop on the internet that says, no, instructs, you to handle idempotency on the client instead of where it belongs. Server-side.

mamcx6h ago

And a good way to convey this contract is force the clients to hash-chain the calls, so is now more clear that it should do (and even can detect the send will fail at client side)

j / k navigate · click thread line to collapse